[SRT2001-10] - scoadmin /tmp issues

From: Richard Johnson (thiefat_private)
Date: Tue May 22 2001 - 11:21:00 PDT


    ======================================================================
    Strategic Reconnaissance Team Security Advisory(SRT2001-10)
    Topic: scoadmin /tmp issues
    Vendor: Santa Cruz Operations
    Release Date: 05/07/01
    ======================================================================
    .: Description
    scoadmin makes poor use of /tmp. File names are very predictable.
    
    .: Impact
    As a user: ln -s /etc/passwd /tmp/tclerror.1195.log
    Wait for root to run scoadmin from xwindows and voilà!
    When he does, he will clobber /etc/passwd with a garbage file.
    
    For /tmp/tclerror.PID.log to be written, root needs to have an
    improper term, or some other error has to happen.
    A good way to force an error is to stop xm_vtcld from opening its
    socket: leave a file where it wants its socket and it will complain.
    
    As a normal user: touch /tmp/5111_342.0
    When root goes to run scoadmin he will get an error and clobber his
    passwd file through the ln -s on the tclerror.PID.log you left for him.
    
    .: Workaround
    Don't use scoadmin.
    
    .: Systems Affected
    Unixware 5.x
    
    .: Proof of Concept
    ln -s /etc/passwd /tmp/tclerror.1195.log
    
    .: Vendor Status
    A copy of this advisory was mailed to their attention
    
    .: Credit
    Kevin Finisterre
    dotslashat_private
    
    .: DISCLAIMER
    
    ======================================================================
    ©Copyright 2001 Secure Network Operations, Inc.  All Rights Reserved.
    Strategic Reconnaissance Team | reconat_private
    http://recon.snosoft.com      | http://www.snosoft.com
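
The root cause described in the advisory, seen from the fix side, as an added example that is not part of the original advisory and is not scoadmin's code: a log file opened at a predictable name with and without O_EXCL | O_NOFOLLOW. The function names, the private sandbox directory and the stand-in file are assumptions made for illustration.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Naive open: follows a pre-planted symlink and truncates its target. */
static int open_log_naive(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
}

/* Hardened open: O_EXCL fails if the name already exists (a symlink counts),
   O_NOFOLLOW refuses a symlink as the final path component. */
static int open_log_safe(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Constructed scenario inside a private mkdtemp() directory: a stand-in
   "important" file plus a symlink at the predictable log name. Returns the
   stand-in's size after the log is opened and written, or -1 on setup error. */
long target_size_after(int use_safe) {
    char dir[] = "/tmp/srt_demo_XXXXXX", target[64], logpath[64];
    struct stat st;
    if (!mkdtemp(dir)) return -1;
    snprintf(target, sizeof target, "%s/passwd.standin", dir);
    snprintf(logpath, sizeof logpath, "%s/tclerror.1195.log", dir);
    FILE *f = fopen(target, "w");
    if (!f) return -1;
    fputs("root:x:0:0::/:/bin/sh\n", f);          /* 22 bytes of sample data */
    fclose(f);
    if (symlink(target, logpath) != 0) return -1;

    int fd = use_safe ? open_log_safe(logpath) : open_log_naive(logpath);
    if (fd >= 0) {                                /* only the naive open succeeds */
        ssize_t n = write(fd, "garbage", 7);
        (void)n;
        close(fd);
    }
    long size = stat(target, &st) == 0 ? (long)st.st_size : -1;
    unlink(logpath); unlink(target); rmdir(dir);
    return size;
}

int main(void) {
    printf("naive open: stand-in is now %ld bytes\n", target_size_after(0));
    printf("safe open:  stand-in is still %ld bytes\n", target_size_after(1));
    return 0;
}
```

When the file name does not have to be predictable, mkstemp() gives the same exclusive-create guarantee with a random name.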
    


